Restricting access for Cloudera services that create their own security groups on AWS

The security groups that you select to use during environment registration are only used for the Data Lake, FreeIPA, Cloudera Data Hub clusters, and Cloudera Operational Databases running in that environment. The Kubernetes-based Cloudera services (Cloudera Data Engineering, Cloudera DataFlow, Cloudera Data Warehouse, and Cloudera AI) create their own security groups with rules that should be restricted separately.

The following table explains where and when you can restrict these rules:

Cloudera service Type of access that can be restricted When and where to restrict Link to related documentation
Cloudera DataFlow Admin access to the Kubenetes API Server endpoint can be restricted.

End user access can be restricted.

Restrict admin access to Kubernetes endpoints during or after enabling Cloudera DataFlow via the Kubernetes API Server Endpoint Access setting.

Restrict end user access to the the Cloudera DataFlow endpoints during or after enabling Cloudera DataFlow via the Load Balancer Endpoint Access setting.

.

Enabling DataFlow for an environment

Managing Kubernetes API Server user access

Cloudera Data Engineering Admin access to Kubenetes endpoints can be restricted.

End user access can only be restricted manually from the AWS management console.

Restrict admin access to Kubernetes endpoints during enabling Cloudera Data Engineering via the Whitelist IPs parameter.

Restrict end user access manually from the AWS management console.

Enabling Cloudera Data Engineering

and

Limiting Incoming Endpoint Traffic for Data Engineering Services

Cloudera Data Warehouse Both admin access to Kubernetes endpoints and end user access are always set to the same range that can be set in environment activation settings.

While the access to the Kubernetes endpoints is a combination of the Cloudera Control Plane’s CIDR and your CIDR provided in environment activation settings, the access to the end user access points (JDBC, UI) is only your CIDR provided in environment activation settings.

In Cloudera Data Warehouse environment’s activation settings. Restricting access to endpoints in AWS environments

and

Editing the IP CIDRs in the trusted list for endpoints in AWS environments

Cloudera AI There are two separate options, one for admin access to Kubernetes endpoints and another for end user access. During Cloudera AI workbench provisioning, under Network Settings:
  • The Load Balancer Source Ranges parameter can be used to restrict end user access.
  • Selecting the checkmark Restrict access to Kubernetes API server to authorized IP ranges allows you to restrict admin access to Kubernetes endpoints.
Provisioning Cloudera AI workbenches